Data Processing Agreement

According to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as the "GDPR"), Provider (hereinafter referred to as the "Processor") and You (hereinafter referred to as the "Controller") are entering into the data processing contractual relationship in order to define the terms and conditions for the processing of personal data, the manner of its protection, as well as to define other rights and obligations of the both parties in the processing of personal data of data subjects on behalf of the Controller during the course of performing the subject matter of these Terms as the main contract.

1. Personal Data Processing. The services provided in compliance with these Terms may include processing of information relating to an identified or identifiable natural person listed in Privacy Policy of service available on help.eset.com website (hereinafter referred to as the "Personal data").

2. Authorization. The Controller authorizes the Processor to process Personal Data, including

(i) “Purpose of processing” shall mean provision of services in compliance with these Terms,

(ii) processing period shall mean period from entering mutual cooperation under these Terms to termination of services,

(iii) scope and categories of Personal data shall include general personal data, excluding any and all special categories of personal data,

(iv) “Data subject” shall mean natural person as authorized user of Controller’s devices,

(v) processing operations shall mean every and all operations necessary for the purpose of processing,

(vi) “Documented instructions” shall mean instructions described in these Terms, its Annexes, Privacy Policy and documentation of service.

3. Obligations of Processor. The Processor shall be obliged to:

(i) process Personal Data only on the grounds of Documented instructions,

(ii) ensure that persons authorized to process the Personal data have committed themselves to confidentiality,

(iii) take all measures described in these Terms, its Annexes, Privacy Policy and documentation of service,

(iv) assist the Controller with responding to requests for exercising the Data subject's rights, security of processing as described in par. iii of this article and notification of personal data breach to the supervisory authority and Data Subject,

(v) delete or return all the Personal data to the Controller after the end of the provision of services relating to processing,

(vi) keep an up-to-date register of all the categories of processing activities that it has carried out on behalf of Controller,

(vii) make available to the Controller all information necessary to demonstrate compliance as part of these Terms, its Annexes, Privacy Policy and documentation of service.

4. Engaging Another Processor. The Processor is entitled to engage another processor for carrying out specific processing activities such as provision of cloud storage and infrastructure for the service in compliance with these Terms, this Annex, Privacy Policy and documentation of service. Even in this case, the Processor shall remain the only point of contact and the party responsible for compliance.

5. Territory of Processing. The Processor ensures that processing takes place in the European Economic Area or a country designated as safe by decision of European Commission based on the decision of Controller. Standard Contractual Clauses shall apply in case of transfers and processing located outside of European Economic Area or a country designated as safe by decision of European Commission.

6. Security. The Processor is ISO 27001:2013 certified and uses the ISO 27001 framework to implement a layered defense security strategy when applying security controls on the layer of network, operating systems, databases, applications, personnel and operating processes. Compliance with the regulatory and contractual requirements is regularly assessed and reviewed similarly to other infrastructure and processes of Processor, and necessary steps are taken to provide compliance on a continuous basis. The Processor has organized the security of the data using ISMS, on the basis of ISO 27001. The security documentation includes mainly policy documents for information security, physical security and security of equipment, incident management, handling of data leaks and security incidents, etc.

7. Processor’s Contact Information. All notifications, requests, demands and other communication concerning personal data protection shall be addressed to ESET, spol. s.r.o., attention of: Data Protection Officer, Einsteinova 24, 85101 Bratislava, Slovak Republic, email: dpo@eset.sk.